1.0 INTRODUCTION


This report provides a System Hazard Analysis (SHA) of the Crew
Station/Turret Motion Base Simulator (CS/TMBS) located at the United
States Army Tank-Automotive Command (TACOM) in Warren, Michigan. It
also provides the U.S. Army Test and Evaluation Command with component
descriptions and hazard analyses of the CS/TMBS.

The Crew Station/Turret Motion Base Simulator was designed to include
provisions for safeguarding personnel and equipment. Safety devices
have been located on the equipment where necessary and are described
in the Contraves USA Manual No. IM-27751, "INSTRUCTION MANUAL FOR
TACOM."

This System Hazard Analysis (SHA) is submitted concurrently with a
Safety Analysis Report (SAR) in an effort to obtain a safety release
for the Crew Station/Turret Motion Base Simulator.

The scope of this System Hazard Analysis is the systematic assessment
of real and potential hazards associated with the subsystems of the
Crew Station/Turret Motion Base Simulator. This SHA was conducted on
the available system concept data in an attempt to identify hazards and
to then direct design efforts toward the elimination or control of the
identified hazards.

2.0 OBJECTIVES

The primary goal is to obtain a safety release from the U.S. Army Test
and Evaluation Command for the Crew Station/Turret Motion Base
Simulator itself. Different payloads (crewstations) must be
individually safety certified. This report is issued in conjunction
with TACOM Technical Report No. 13549, "SAFETY ASSESSMENT OF TACOM's
CREW STATION/TURRET MOTION BASE SIMULATOR" and Contraves USA Manual No.
IM-27751, "INSTRUCTION MANUAL FOR TACOM" in an attempt to satisfy
MIL-STD-882B.

3.0 CONCLUSIONS

All known safety hazards have been evaluated throughout the design and
development of the Crew Station/Turret Motion Base Simulator. The
system is considered safe to operate provided that the procedures stated
in the "INSTRUCTION MANUAL FOR TACOM" are followed.

The safety devices and procedures for the Crew Station/Turret Motion
Base Simulator will reduce the probability of injury to occupants or
damage to equipment to the levels dictated in MIL-STD-882B.

There will be communications between the crewstation and the CS/TMBS
operator at all times during a test. The crewstation will also have
an emergency stop button within ready reach to provide the crew a means
of stopping the test. It is assumed that the crew will meet all
requirements imposed by the safety certification of the crewstation.
4.0 RECOMMENDATIONS


Upon issuance of a safety release for the Crew Station/Turret Motion
Base Simulator, it is suggested that the Safety Office at TACOM be
given the authority to approve various test setups and issue safety
releases for them.

5.0 DISCUSSION

5.1 System Description

The CS/TMBS is a high-performance, six-axis motion simulator capable
of handling payloads of up to 25 tons. It recreates the dynamic
motions a vehicle would experience traveling over cross-country
terrain, while being capable of handling a wide range of crew stations
from M1 turrets to smaller crew stations equipped with computer-generated
imagery systems.

The simulator is intended to replace costly field testing of vehicles
in development (or being modified) with a controlled laboratory
environment in which to conduct testing.

The CS/TMBS is considered a "Stewart Platform," named after the
researcher who developed the concept in the mid-1960s. The basis
of the Stewart Platform was developed for flight simulators and has
been used for many applications in laboratory simulation. One feature
which makes the CS/TMBS unique among the other known Stewart Platform
systems is the capability to handle heavy loads with a motion bandwidth
of 5 Hz.

The CS/TMBS was designed and built by Contraves USA and assembled
jointly by Contraves USA and TACOM. All control compensation was
performed by TACOM. The CS/TMBS is expected to open doors to new
research, development and testing in the areas of gun/turret drive
tracking and stabilization systems along with man-in-the-loop testing.
One potential feature of the CS/TMBS is the ability to test and study
the soldier-machine interface while in a dynamic environment.

5.2 Major Subsystems and Components

The CS/TMBS is described under the following equipment categories:

o Frame Structure
o Supervisor Computer
o Safety Monitor Computer
o Interlock Chassis
o Motion System
o Inertial Measurement Unit
o Analog I/O
o AD-100 Computer Interface
o Array Processor
o Encoder Servo Processors
o Hydraulic System


5.3 Analysis Summary

The analysis results presented in the following pages address the
hazard potential to the Crew Station/Turret Motion Base Simulator
should there be a failure in any of the subsystems.

5.4 Assignment of Risk Assessment Codes

The accompanying analysis sheets contain hazard severity levels, hazard
probability levels and Risk Assessment Codes (RAC). The hazard
probability levels and RAC are from AR 385-10 Interim Change No. 101.
The hazard severity levels are from MIL-STD-882B, so that system damage
and personnel injury can be included in the definition and reflected
in the hazard assessment.

HAZARD SEVERITY

a. Category I - Catastrophic. Death or permanent total
disability; system loss, major property damage.

b. Category II - Critical. Permanent partial disability or
temporary total disability in excess of three months; major
system damage, significant property damage.

c. Category III - Marginal. Minor injury, lost workday
accident, or compensable injury or illness; minor system damage,
minor property damage.

d. Category IV - Negligible. First aid or minor supportive
medical treatment; minor system impairment.


HAZARD PROBABILITY

a. Frequent. Likely to occur frequently in life of system,
item, facility, etc.

b. Probable. Will occur several times in life of item.

c. Occasional. Likely to occur sometime in life of item.

d. Remote. Unlikely, but can reasonably be expected to
occur.

e. Improbable. Unlikely to occur, but possible.

RISK ASSESSMENT CODES

1 - Critical
2 - Serious
3 - Moderate
4 - Minor
5 - Negligible


5.5 Safety and Interlock System


The CS/TMBS system has multiple levels of safety interlocks to assure
the safety of both personnel and equipment. The interlock system is
divided into five subsystems with overlapping functions to achieve a
high level of hazard protection. Figure 1 shows an overall view of the
safety and interlock system.

The safety interlocks are distributed between:

o Interlock Chassis
o IMU Chassis
o ESP Cards
o Safety Monitor Equipment

Figure 1. Safety and Interlock System Block Diagram

The CS/TMBS control system supports two types of aborts when a fault
is detected.

1. Hard Abort - Hard aborts are implemented through the Interlock
Chassis and cause an immediate shutdown of the simulator by aborting
the hydraulic control circuits. Hard aborts are used for fault
conditions that could be an extreme or immediate hazard. Conditions
that could cause the system to be uncontrollable also warrant a hard
abort. The following actions occur when a hard abort is initiated:

o Actuator abort valves open, limiting actuator pressures.

o Servo shutoff valves close, isolating the actuators from the servo
valves.

o System supply valves close, isolating the CS/TMBS system from the
hydraulic power supply.

2. Soft Abort - A soft abort is a computer controlled shut-down in
response to a nonimminent hazard or recoverable error. When a soft
abort error condition occurs, the CS/TMBS controls cause the system to:

o Return the platform to a neutral position and orientation.

o Lower the platform to the settled position and abort hydraulics.

5.5.1 Interlock Chassis. The Interlock Chassis directly controls the
CS/TMBS system hydraulics to ensure a safe and rapid shutdown in the
event of a system fault. Various function cards in the Interlock
Chassis form the hardware interlock string, a relay ladder that
controls the hydraulic solenoid valves via the Interlock Control Box.
The hydraulics cannot be energized until the hardware interlock string
is closed (satisfied). A hard abort occurs when the interlock string
opens due to a fault detected by one of the interlock function cards.

The Interlock Chassis contains three types of printed circuit cards:

o Interlock Card (4)
o Analog Limit Card (6)
o Control and Status Card (3)

Not all of these cards are in the hardware interlock string; however,
they all serve a function in the safe control of the CS/TMBS.

5.5.1.1 Interlock Card Functions. The Interlock Cards connect to
various contact closures and TTL signals in the CS/TMBS system. The
following functions are in the hardware interlock string:

o Retract Limit Switches (6)
o Extend Limit Switches (6)
o Solid State Relay (SSR) Fault
o IMU Linear Acceleration Limit
o IMU Angular Acceleration Limit
o IMU Angular Rate Limit
o Inertial Switch
o 115 VAC Power Fail
o 24 VAC Power Fail
o ESP Interlock String
o Console Emergency Stop
o Facility Emergency Stop
o Crew Emergency Stop
o Facility Pressure Switch
o Return Pressure High
o Return Valve Closed
o Service Jack Interlock
o Connector Interlock
o System Pressure Critical
Interlock hardware overrides the Retract Limit switches until the
system is out of the retract limits. Likewise, the System Pressure
Critical (<1500 psi) interlock is bypassed until after the hydraulic
pressure has stabilized.

The SSR Fault shows a failure in one of the Solid State Relays that
drive the hydraulic solenoid valves. The IMU limits indicate that
excessive acceleration or rate has been detected in the IMU Chassis.
Provision is made for a multi-axis inertial switch to be mounted in
the crew compartment as a back-up inertial interlock. The switch is
calibrated to trip at a preset G level along its X, Y, and Z axes.

The 115 volt AC Power Fail aborts the hydraulics and control system
before the DC power supply voltages drop to a critical level. A 24 volt
AC power failure inherently aborts all solenoid valves, but its
inclusion in the interlock string assures that the ESPs and Safety
Monitor Computer detect the failure.

The ESP Interlock String input is from a series connection of the ESP
interlock relays. This direct path to the Interlock Chassis provides
redundancy in case of a Multibus communication failure. Section 5.5.2
details the ESP interlocks.

The Emergency Stop buttons allow the system operator at the console,
facility personnel near the simulator, or the tank crew to effect an
immediate CS/TMBS system abort.

Prior to starting the system, facility pressure must be sensed on the
HPS side of the CS/TMBS supply valves. The absence of facility pressure
while the system is active will cause an abort. The CS/TMBS system is
supplied with a shutoff valve at the return manifold to facilitate
hydraulic maintenance operations. The Return Valve Closed switch and
Return Pressure High switch guarantee that the system cannot be
operated without full return flow capacity.

Provisions are made for the placement of service jacks in lieu of the
hydraulic actuators to support the platform while maintenance and
repair procedures are performed. The Service Jack Interlock prevents
system operation while the service jacks are in.
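
The relay-ladder behaviour described above, as an added Python model that is
not part of this report or the Contraves manual: every contact in the string is
a series element, the hydraulics can only be energized while each contact is
closed, any contact opening causes a latched hard abort, and the Retract Limit
and System Pressure Critical contacts are bypassed only during startup. The
contact names follow the list in 5.5.1.1 and the 1500 psi threshold is the
report's figure; the rule for releasing a bypass (latched the first time the
contact closes), the reset behaviour after an abort, and the pressure values
fed in are assumptions made for the illustration.

```python
"""Relay-ladder model of the hardware interlock string with startup bypasses.
Added illustration, not code from the CS/TMBS. Contact names follow 5.5.1.1 and
the 1500 psi figure is the report's; the bypass release rule, reset behaviour
and pressure values are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

SYSTEM_PRESSURE_CRITICAL_PSI = 1500  # report: System Pressure Critical (<1500 psi)

# Contacts wired in series; True == closed. Any open contact breaks the string.
STRING_CONTACTS = (
    "retract_limit", "extend_limit", "ssr_fault", "imu_linear_accel",
    "imu_angular_accel", "imu_angular_rate", "inertial_switch", "power_fail_115vac",
    "power_fail_24vac", "esp_string", "console_estop", "facility_estop", "crew_estop",
    "facility_pressure", "return_pressure_high", "return_valve_closed",
    "service_jack", "connector", "system_pressure_critical")

# Contacts legitimately open before startup: bypassed until the named flag is set,
# which happens the first time the contact closes (assumed latching rule).
STARTUP_BYPASS = {"retract_limit": "out_of_retract_limits",
                  "system_pressure_critical": "pressure_stabilized"}


@dataclass
class InterlockString:
    contacts: dict = field(default_factory=lambda: dict.fromkeys(STRING_CONTACTS, True))
    hydraulics_energized: bool = False
    abort_latched: bool = False
    first_fault: str | None = None
    out_of_retract_limits: bool = False
    pressure_stabilized: bool = False

    def bypassed(self, name: str) -> bool:
        flag = STARTUP_BYPASS.get(name)
        return flag is not None and not getattr(self, flag)

    def open_contacts(self) -> list[str]:
        """Contacts that currently break the string, bypassed ones excluded."""
        return [n for n, closed in self.contacts.items() if not closed and not self.bypassed(n)]

    def scan(self) -> bool:
        """One ladder evaluation; returns True while the hydraulics stay energized."""
        faults = self.open_contacts()
        if faults and self.hydraulics_energized:
            # Hard abort: solenoids drop out and the first fault is latched for the console.
            self.hydraulics_energized, self.abort_latched = False, True
            self.first_fault = faults[0]
        return self.hydraulics_energized

    def set_contact(self, name: str, closed: bool) -> bool:
        self.contacts[name] = closed
        if closed and name in STARTUP_BYPASS:
            setattr(self, STARTUP_BYPASS[name], True)   # bypass released for good
        return self.scan()

    def set_system_pressure(self, psi: float) -> bool:
        return self.set_contact("system_pressure_critical", psi >= SYSTEM_PRESSURE_CRITICAL_PSI)

    def hydraulic_start(self) -> bool:
        """Energize only with no latched abort and every non-bypassed contact closed."""
        if self.abort_latched or self.open_contacts():
            return False
        self.hydraulics_energized = True
        return True

    def reset(self) -> None:
        """Operator reset after an abort; startup bypasses re-arm (assumption)."""
        self.abort_latched, self.first_fault = False, None
        self.out_of_retract_limits = self.pressure_stabilized = False


def running_system() -> InterlockString:
    """Constructed startup: settled platform, start, pressure up, lift off the limits."""
    s = InterlockString()
    s.set_contact("retract_limit", False)   # settled platform sits on its retract limits
    s.set_system_pressure(0)                # unpressurized: critical contact open, bypassed
    if not s.hydraulic_start():             # both open contacts are bypassed, so start is allowed
        raise RuntimeError("startup bypasses did not permit hydraulic start")
    s.set_system_pressure(2800)             # pressure stabilizes: bypass released
    s.set_contact("retract_limit", True)    # platform clear of retract limits: bypass released
    return s


def pressure_loss() -> dict:
    s = running_system()
    still_on = s.set_system_pressure(1400)  # below the 1500 psi critical level, no bypass now
    return {"still_on": still_on, "first_fault": s.first_fault, "latched": s.abort_latched}


def crew_estop_then_reset() -> dict:
    s = running_system()
    s.set_contact("crew_estop", False)      # crew presses the emergency stop
    result = {"first_fault": s.first_fault, "restart_while_latched": s.hydraulic_start()}
    s.set_contact("crew_estop", True)       # button released ...
    s.reset()                               # ... and operator reset
    result["restart_after_reset"] = s.hydraulic_start()
    return result
```

The two bypasses are the only way a settled, unpressurized platform can ever
pass the string; once the platform has lifted and pressure has stabilized,
either contact reopening is treated like any other fault, which is what keeps a
later pressure collapse or a return to the retract limits from being masked.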

Certain Interlock Card inputs are not connected to the hardware
interlock string, but provide status to the Safety Monitor Computer
(SMC) to:

1. Determine the current operational mode.

2. Provide status information to the operator.

3. Initiate soft aborts through the Safety Monitor Computer.

These Interlock Card status inputs are:

o Cylinder Enable (6)
o Pressure High
o Pressure Low
o Temp High
o Temp Low
o Oil Low
o Filter Clogged
o Deadman Switch
o Gate Open
o Crane Proximity
o Remote Enable

The Safety Monitor Computer (SMC) initiates a soft abort when the
Pressure High, Pressure Low, Oil Temperature High, Oil Reservoir Low,
Filter Clogged, Deadman Switch, Gate Open, Crane Proximity, Access
Platform Retracted or Remote Enable interlocks are not satisfied.
Temperature Low is for operator information only. It aids in the
diagnosis of problems that might be related to the oil being below
normal operating temperature.

The Motion Consent switch in the crew compartment must be pressed
simultaneously with the Hydraulic Start switch at the control console
in order to open the supply valve and commence system operation. When
the system is to be used without a crew, the Crew Disable keyswitch at
the Interlock Control Box bypasses the Motion Enable switch. The
Remote Enable switch is an optional contact closure provided by
customer equipment to enable system start-up and initiate soft aborts.

5.5.1.2 Analog Limit Card Functions. The Analog Limit cards control
the safety interlock system based on absolute high and low limits or
a tracking comparison between two signals. These interlock functions
respond based on preset high and low voltage limits:

o +5 volt supply
o +15 volt supply
o -15 volt supply
o +15 volt backup supply
o -15 volt backup supply
o +28 volt supply
o +12.8 volt Moog Rack 1 supply
o -12.8 volt Moog Rack 1 supply
o +12.8 volt Moog Rack 2 supply
o -12.8 volt Moog Rack 2 supply
o +12.8 volt Moog Rack 3 supply
o -12.8 volt Moog Rack 3 supply
o Actuator Force Limit

Note: Moog Controls Inc. is the actuator supplier.

All of the above limits are safety critical and therefore in the
hardware interlock string, except the ±15 volt backup supplies and the
+28 volt supply for the IMU angular rate sensor. These interlocks
instead cause soft aborts through the Safety Monitor Computer. The
Actuator Force limits may be thought of as absolute positive and
negative (extend and retract) force limits.

The following analog limits are designed as tracking window comparisons
of two signals. They are used to detect actuator transducer failures
and are included in the hardware interlock string.

o Actuator Drive Fault (18)
o Actuator Feedback Fault (6)

An Actuator Drive Fault occurs if the servo valve spool position does
not correspond with the valve drive signal. Spool position is measured
by an LVDT on the last stage of the servo valve. The valve drive
signal for each group of three servo valves is subtracted from the
three demodulated spool position signals. The resultant signal is low
pass filtered to compensate for the valve bandwidth, and the high and
low limits are set to allow an error window. The Drive Faults are
bypassed until pressure is applied to the valves so that the hydraulics
can be started. With pressure applied, the valve drives and feedback
should track regardless of whether the valve is enabled (servo shutoff
valves open). All servo valves are exercised to detect failures prior
to opening the servo shutoff valves.

An Actuator Feedback Fault occurs if the force measurement from the
actuator strain gauges does not agree with the force derived from the
actuator differential pressure. The difference signal is filtered
to compensate for transducer bandwidth, and high and low tracking limits
are set. The redundant force and pressure transducers detect
transducer failure as well as excess friction in the actuator:
actuator friction causes the differential pressure to exceed the force
applied to the platform. The Actuator Feedback Faults are bypassed
until after platform liftoff because the comparison is not valid until
this time.
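
The two tracking-window comparisons above, as an added Python model that is not
part of this report: the difference between the two signals is low-pass
filtered and then held inside a high/low window, with the check bypassed until
the condition that makes the comparison valid (pressure applied, or platform
lifted) has been reached. The structure follows the report; the filter
coefficient, the window widths, the piston area used to turn differential
pressure into force, the assumed spool dynamics and every sample value are
assumptions made for the illustration.

```python
"""Tracking-window comparators for the Actuator Drive Fault and Actuator Feedback
Fault checks of 5.5.1.2. Added illustration, not code from the CS/TMBS: the
structure (difference, low-pass filter, high/low window, startup bypass) follows
the report; the filter coefficient, window widths, piston area and every sample
value are assumptions."""
from dataclasses import dataclass

PISTON_AREA_M2 = 0.02   # assumed effective piston area used to convert delta-P to force


@dataclass
class TrackingComparator:
    low: float              # lower tracking limit on the filtered error
    high: float             # upper tracking limit on the filtered error
    alpha: float            # first-order low-pass coefficient per sample, 0 < alpha <= 1
    filtered: float = 0.0
    tripped: bool = False   # latched: a trip opens the hardware interlock string

    def step(self, reference: float, feedback: float, bypassed: bool = False) -> bool:
        """Feed one sample pair; returns the latched trip state."""
        error = feedback - reference
        # Low-pass the error so the lag of a healthy valve or transducer stays inside
        # the window while a stuck or failed device drives the filtered error out of it.
        self.filtered += self.alpha * (error - self.filtered)
        if not bypassed and not (self.low <= self.filtered <= self.high):
            self.tripped = True
        return self.tripped


def drive_fault_scenario(stuck_spool: bool, pressure_applied: bool = True):
    """Valve drive command vs demodulated LVDT spool position (normalized units).
    Returns (tripped, index of the tripping sample or None)."""
    comp = TrackingComparator(low=-0.2, high=0.2, alpha=0.2)
    command, spool = 0.8, 0.0               # step command applied from the first sample
    for k in range(1, 21):
        if not stuck_spool:
            spool += 0.5 * (command - spool)  # healthy spool lags the command (assumed dynamics)
        if comp.step(command, spool, bypassed=not pressure_applied):
            return True, k                  # Drive Faults are bypassed until pressure is applied
    return False, None


def dp_force_kn(dp_bar: float) -> float:
    """Force implied by the actuator differential pressure."""
    return dp_bar * 1e5 * PISTON_AREA_M2 / 1e3


def feedback_fault_scenario(friction_bar: float, lifted: bool = True,
                            dp_sensor_failed: bool = False):
    """Strain-gauge force vs differential-pressure force, window in kN. Friction shows
    up as delta-P force exceeding the force the strain gauge sees; a failed
    transducer shows up as a large error of either sign."""
    comp = TrackingComparator(low=-5.0, high=5.0, alpha=0.2)
    for k in range(1, 21):
        force_gauge_kn = 100.0                                      # constructed steady load
        dp_bar = 0.0 if dp_sensor_failed else 50.0 + friction_bar   # 50 bar -> 100 kN
        if comp.step(force_gauge_kn, dp_force_kn(dp_bar), bypassed=not lifted):
            return True, k                  # Feedback Faults are bypassed until liftoff
    return False, None
```

Without the filter, the first sample after the step command would already show a
raw error of 0.8 and trip the healthy valve; with it, the healthy spool's error
peaks at roughly 0.10 in filtered units while a stuck spool crosses the 0.2
window on the second sample. The friction case shows why the window is applied
to a signed difference rather than a magnitude: excess friction always pushes
the differential-pressure force above the strain-gauge force.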

5.5.1.3 Control and Status Card Functions. The Control and Status
cards have power drivers to control lamps, relays, and solenoids. They
also have status inputs that can be read by the Safety Monitor
Computer, but are not part of the hardware interlock string.

All of the Operator Panel indicators are computer controlled via the
Control and Status Card. These lamps are:

o Low, Med, High Dynamics
o Interlock GO
o HPS ON
o Hydraulic Start (2)
o Hydraulic Stop (2)
o Cylinder Mode Indicators (6)
o Axis Mode Indicators (6)

Each lamp is also connected to a corresponding status input that
detects filament continuity when the lamp is turned off. This feature
is used for the computer controlled lamp test. The Safety Monitor
Computer also tests to verify that the lamp drivers are functional.

The following relays used in the safety interlock system are controlled
by Control and Status Card power drivers:

o Solenoid Power Enable
o HPS Start
o Supply Valve
o Audible Warning
o Retract Access Platform
o Servo A Enable
o Servo B Enable
o Servo C Enable
o Test Abort A
o Test Abort B
o Inertial Switch Test

Solenoid Power Enable energizes a solid state relay (SSR) that enables
the 24 VAC solenoid valve power transformer. The Safety Monitor
Computer (SMC) enables the 24 VAC prior to hydraulic startup. When
this is enabled, three red warning strobe lights on the platform begin
flashing to warn that hydraulic turn-on is imminent. When the system
is ready to start, the SMC issues the Retract Access Platform command.
This is used to signal personnel to retract the entry structure. The
SMC sounds an Audible Warning horn (on the Interlock Control Box) prior
to enabling the hydraulics. The SMC then issues the HPS Start and, when
all hardware and software interlocks are satisfied, it opens the
CS/TMBS system supply valves. The Inertial Switch Test is a self-test
to verify that the inertial switch safety interlock device is installed
in the crew compartment.

The Servo A, B, and C Enable commands open the corresponding servo
shutoff valves at the output side of the servo valves. The quantity
and selection of active servo valves is controlled by the SMC through
relays on the Control and Status Card, which are wired into the
hardware interlock string. For redundancy, each actuator has two
independent sets of abort valves. The Test Abort A and Test Abort B
outputs allow the SMC to test each group independently.

Three of the Control and Status Card drivers are wired to the IMU
chassis:

o IMU Self Test
o IMU Linear Test
o IMU Limit Reset

IMU Self Test is activated to perform either the linear or angular self
test. When the IMU Linear Test output is active, the IMU electronics
simulate simultaneous X, Y, and Z acceleration. The angular self test
is performed when the IMU Linear Test output is inactive. This
test mode simulates simultaneous yaw, pitch and roll acceleration.

The SMC monitors the following Operator Panel switches through status
inputs on the Control and Status Card:

o Remote/Local Keyswitch
o Motion Enable
o Hydraulic Stop
o System On/Off Keyswitch
o Hydraulic Start
o Power On/Off Switch

The system response to these switches is entirely under software
control. The Power On/Off switch is interlocked with the CS/TMBS system
pressure switch to prevent the system from being turned off while the
hydraulics are on. Without pressure, Power OFF will turn the Power
Supply Chassis off. If the hydraulics are on, Power OFF will cause a
soft abort and the Power Supply will remain on until system pressure
has dropped.
5.5.2 ESP Interlocks. Each of the six Encoder Servo Processor (ESP)
cards has a relay contact which is part of the safety interlock string.
An ESP will close its portion of the interlock string only if no
unsafe condition has been detected. When an ESP detects an
unsafe condition, the relay opens, breaking the interlock string.
Only after the platform has settled to the level position will
the ESP allow the supervisory processor to reset the error which
opened the interlocks. After the error has been reset, the ESP will once
again close its portion of the interlock string.

The following software interlocks are implemented in the Encoder Servo
Processor:

o Position Feedback Limit
o Force Feedback Limit
o Power Supply Limits
o Watchdog Timer
o Rate Estimate Limit
o Actuator Friction Limit
o DAC to ADC Feedback

The position feedback, rate estimate, and force feedback are software
limits. The position feedback limit is a backup to the actuator limit
switches. In operation, the position feedback, actuator rate estimate,
and force feedback are compared against upper and lower limits. If any
programmed limit is exceeded, an abort routine is initiated to open the
ESP interlock relay.

The actuator friction is computed as the difference between the force
feedback and the pressure feedback. If the actuator friction becomes
unacceptably large, or a sensor failure occurs, an abort will be
initiated.

The power supply voltages presented to the ESPs are periodically read
by the onboard analog to digital converter and compared against upper
and lower limits. If a supply voltage is found to be out of tolerance,
the ESP will initiate an abort.

Additionally, the output of the digital to analog converter is
periodically read by the analog to digital converter. If the
difference exceeds a programmed limit, the ESP will abort the system.

The software watchdog is a re-triggerable one-shot that must be
periodically triggered by the ESP software. If the ESP software
malfunctions, the watchdog will time out and open the interlock string,
aborting the system.

5.5.3 IMU Chassis. The IMU Chassis hardware is designed to open the
safety interlock string if any of the following faults occur:

o Linear Acceleration Limit
o Angular Rate Limit
o Angular Acceleration Limit

The linear and angular acceleration limits are derived from the IMU
outputs as described in Section 5.1.1.4 of the TACOM Instruction
Manual. The IMU outputs are processed by circuits in the IMU Chassis
to produce voltages proportional to the linear and angular acceleration
vectors. If these voltages exceed a preset limit proportional to a
value greater than 4 g or 30 rad/sec², the interlock string is opened.
The IMU accelerometers are mounted equidistant from the turret axis so
that the IMU electronics can measure accelerations at the turret
center. The Safety Monitor Computer performs self-tests and continuous
operational monitoring of the IMU outputs.

The IMU Chassis also processes the signals from the IMU angular rate
sensor and aborts the system if excess angular rate is detected.

5.5.4 Safety Monitor Computer. The Safety Monitor Computer (SMC) is
a single board computer that resides in the Control Chassis Multibus
card cage. The function of the safety monitor is to gather operational
status and data from the control system commands and feedback to
determine if the system is operating properly. Among other things, the
safety monitor checks the CS/TMBS positions, rates, and accelerations
to determine that the platform is operating within the design and
man-rating limits. Figure 2 shows a simplified block diagram of the SMC
software.

Before the hydraulics can be enabled, the SMC activates the self-test
function on the IMU accelerometers to assure that they are operating
properly. After the self-test, the SMC takes readings of the IMU and
compares them against a set of software limits to ensure that the
acceleration limits are not exceeded. If these limits are exceeded, a
soft abort is initiated.
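
The pre-start sequence above, as an added Python model that is not part of this
report: the IMU limit detector is driven through its linear and angular test
modes (described in 5.5.1.3 and 5.5.3) and must trip on each and clear again at
rest before the live readings are compared against the software limits. The
4 g and 30 rad/sec² hardware trip levels are the report's; the simulated test
accelerations, the software limits (set below the hardware trip), the stuck
detector failure model and the live readings are assumptions made for the
illustration.

```python
"""IMU limit detector with the pre-start self-test sequence of 5.5.4. Added
illustration, not code from the CS/TMBS. The 4 g and 30 rad/s^2 trip levels are
the report's; the simulated test accelerations, the SMC software limits and the
live readings are assumptions."""
import math

G = 9.80665
HARD_LINEAR_LIMIT = 4.0 * G    # m/s^2, report: IMU Chassis opens the string above 4 g
HARD_ANGULAR_LIMIT = 30.0      # rad/s^2, report
SOFT_LINEAR_LIMIT = 2.5 * G    # assumption: SMC software limit, below the hardware trip
SOFT_ANGULAR_LIMIT = 20.0      # assumption
AT_REST = ((0.0, 0.0, G), (0.0, 0.0, 0.0))   # 1 g on the vertical axis, no rotation


class ImuLimitDetector:
    """Vector limit detector: latched trip when |a| or |alpha| exceeds its limit.
    In a test mode the electronics substitute simulated simultaneous X, Y, Z
    (or yaw, pitch, roll) acceleration for the sensor input."""
    def __init__(self):
        self.tripped = False
        self.test_mode = None   # None, "linear" or "angular"

    def reset(self):
        self.tripped = False

    def sample(self, linear, angular) -> bool:
        if self.test_mode == "linear":
            linear = (3.0 * G, 3.0 * G, 3.0 * G)   # |a| = 5.2 g, assumed test stimulus
        elif self.test_mode == "angular":
            angular = (20.0, 20.0, 20.0)           # |alpha| = 34.6 rad/s^2, assumed
        if (math.hypot(*linear) > HARD_LINEAR_LIMIT
                or math.hypot(*angular) > HARD_ANGULAR_LIMIT):
            self.tripped = True
        return self.tripped


class StuckImuDetector(ImuLimitDetector):
    """Failure model: comparator output stuck in the 'within limits' state."""
    def sample(self, linear, angular) -> bool:
        return False


def imu_self_test(det: ImuLimitDetector) -> bool:
    """Each test mode must trip the detector, and it must clear again at rest.
    A detector that cannot trip would silently remove the interlock."""
    for mode in ("linear", "angular"):
        det.reset()
        det.test_mode = mode
        tripped = det.sample(*AT_REST)
        det.test_mode = None
        det.reset()
        if not tripped or det.sample(*AT_REST):
            return False
    return True


def pre_start_check(det: ImuLimitDetector, live_linear, live_angular) -> str:
    """SMC sequence before the hydraulics are enabled: self-test, then live readings
    against the software limits. Returns the resulting action."""
    if not imu_self_test(det):
        return "inhibit: IMU self-test failed"
    if (math.hypot(*live_linear) > SOFT_LINEAR_LIMIT
            or math.hypot(*live_angular) > SOFT_ANGULAR_LIMIT):
        return "soft abort: IMU reading exceeds software limit"
    return "ok: hydraulics may be enabled"
```

The point of exercising the detector before arming is that a comparator stuck
in the "within limits" state is indistinguishable from a healthy one during a
quiet run; only a stimulus that should trip it reveals the difference.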

The SMC also monitors the status of all inputs to the Interlock
Chassis. The SMC will force an abort if any of the Interlock Chassis
inputs that are in the interlock string show incorrect status. In this
capacity, the SMC provides redundancy to the other hardwired system
interlocks. After each interlock test loop, the SMC is required to
re-trigger one-shots in the Interlock Chassis to keep the interlock
string closed. This feature prevents software failures from
compromising the system safety.

Figure 2. Safety Monitor Software Block Diagram

The SMC also monitors itself, the supervisor computer and the ESPs to
ensure that the system is operating properly. The following faults
will cause the SMC to force a hard abort:

o Multibus watchdog (Multibus access timeout)
o Interprocessor communication watchdog
  - Supervisor/Analog I/O checks
  - SMC check of Supervisor Runtime Counter
  - Supervisor check of SMC Runtime Counter
  - ESP communication error
o Memory Parity Error
  - Supervisor memory failure
  - SMC memory failure
o Memory Lost Error
  - Supervisor code memory failure
  - SMC code memory failure
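
The two liveness mechanisms described in 5.5.2 and 5.5.4 (the re-triggerable
one-shot that the ESP and SMC software must keep triggering, and the mutual
runtime-counter checks between the SMC and the Supervisor), as an added Python
simulation that is not part of this report. The 10 ms loop period is the
report's system tick; the one-shot timeout, the cross-check interval, the tick
resolution and the points at which a processor is made to hang are assumptions
made for the illustration.

```python
"""Retriggerable one-shot watchdog plus interprocessor runtime-counter cross-check,
modelled on sections 5.5.2 and 5.5.4. Added illustration, not code from the
CS/TMBS. The 10 ms loop period is the report's system tick; the one-shot
timeout, the cross-check interval and the hang times are assumptions.
Time is in 1 ms ticks."""
from dataclasses import dataclass

LOOP_PERIOD = 10        # ms: interlock test loop (report: 10 ms system tick)
ONESHOT_TIMEOUT = 30    # ms: assumption, must exceed one loop period with margin
CHECK_PERIOD = 100      # ms: assumption, runtime-counter cross-check interval


class RetriggerableOneShot:
    """Monostable in the Interlock Chassis: its contact stays closed only while
    software keeps retriggering it before the timeout elapses."""
    def __init__(self, timeout: int):
        self.timeout = timeout
        self.expires_at = -1   # never triggered: contact open

    def retrigger(self, now: int) -> None:
        self.expires_at = now + self.timeout

    def closed(self, now: int) -> bool:
        return now < self.expires_at


@dataclass
class Processor:
    name: str
    runtime_counter: int = 0   # incremented once per completed loop
    hung: bool = False         # simulated software failure: loop stops running


def simulate(hang_smc_at: int = None, hang_supervisor_at: int = None,
             ticks: int = 400) -> dict:
    """Run the SMC and Supervisor loops; return the first abort and its cause."""
    smc, sup = Processor("SMC"), Processor("Supervisor")
    oneshot = RetriggerableOneShot(ONESHOT_TIMEOUT)
    last_seen = {smc.name: 0, sup.name: 0}
    for now in range(ticks + 1):
        if hang_smc_at is not None and now >= hang_smc_at:
            smc.hung = True
        if hang_supervisor_at is not None and now >= hang_supervisor_at:
            sup.hung = True

        if now % LOOP_PERIOD == 0:
            if not sup.hung:
                sup.runtime_counter += 1
            if not smc.hung:
                smc.runtime_counter += 1
                oneshot.retrigger(now)   # only after a completed interlock test loop

        if now % CHECK_PERIOD == 0 and now > 0:
            for observer, peer in ((smc, sup), (sup, smc)):
                if observer.hung:
                    continue             # a hung processor performs no checks
                if peer.runtime_counter == last_seen[peer.name]:
                    return {"abort_tick": now, "abort": "hard",
                            "cause": f"{peer.name} runtime counter did not advance"}
                last_seen[peer.name] = peer.runtime_counter

        if not oneshot.closed(now):      # hardware check, independent of any software
            return {"abort_tick": now, "abort": "hard",
                    "cause": "interlock one-shot timed out"}
    return {"abort_tick": None, "abort": None, "cause": None}
```

A hung SMC is caught by the hardware one-shot within one timeout of its last
completed loop, before the software cross-check would have noticed; a hung
Supervisor does not hold a one-shot in this model and is caught at the next
runtime-counter check by the SMC. The one-shot is what turns "the software
stopped" into an open contact without any software having to run.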

The SMC will abort the system based on the following ESP error
conditions:

o Position change when platform should be motionless
o Rate trip
o Force feedback limit
o ESP software watchdog (1 ms)
o Multibus watchdog
o A/D data not within acceptable limits
o Friction trip
o Upper position limit
o Lower position limit
o Special lower position limit (when applicable)
o CPU traps (any illegal instruction)

The SMC will initiate a soft abort if any of the following conditions
are detected:

o ESP Command Limit
o Software Rate Limit
o Software Acceleration Limit
o Turret Weight Test Failure
o ID code mismatch during remote scenario
o Array Processor DMA complete timeout
o System command timeout on AD100 link
o 10 ms System-Tick Timeout
o Illegal Mode Change
o Crane Proximity
o Power ON/OFF Switch OFF
o System ON/OFF Keyswitch OFF
o Remote Enable Off
o Hydraulic Temperature High
o 15 Volt Backup Supply Failure
o 28 Volt Supply Failure
o Filter Clogged
o Deadman Switch Open
o Gate Open
o Hydraulic Pressure High
o Hydraulic Pressure Low (not critical)

A secondary function of the Safety Monitor Computer is to log failures
as they occur. They may be displayed after a failure to aid in tracing
the cause of a fault. The SMC also displays the status of all the
hardware and software interlocks on the operator console CRT. Table
1 lists some of the system status information that is available at the
operator console. All "system go" status indicators are green and "no-
go" status indicators are displayed in red so the operator can tell at
a glance if the system is operational. The first interlock function
to cause the hydraulics to shut down during system operation will be
displayed on the CRT screen to aid in fault diagnosis.

The SMC is also used as the operator communication link to the system
by controlling the CRT display and accepting operator commands from the
keyboard.

5.6 System Hazard Analysis. The following pages outline specific
failures, hazard probabilities and severity and provide a flow-chart
showing related backup systems.
Table 1. Status Display Summary

System Status
    System (OFF)(ON)
    (Low)(Med)(High) Dynamics
    (Local)(Remote) Mode
    EXT System Ready
    X Position          Roll Angle
    Y Position          Pitch Angle
    Z Position          Yaw Angle

Hydraulic Status
    Pressure (OFF)(ON)
    Valve (Closed)(Open)
    Pressure (Low)(High)
    Filter Differential Pressure
    Oil Temperature High
    Oil Level Low

Interlock Status
    Emergency Stop
    Motion Consent (OFF)
    Dead Man Switch Disable
    Remote Stop
    Gate Open
    Step Stow Lock
    Power Supply Limit
    Crane Proximity
    Acceleration Limit

Actuator Status
    Subloop Trip
    Position Limit
    Rate Limit
    Acceleration Limit
    Pressure Limit
    Valve Drive Fault
    Feedback Sensor Fault